honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use java sys prop override in tests instead of flag to createPermissions

This commit is contained in:
Ryan Ernst 2015-05-04 15:28:08 -07:00
parent 072b90296a
commit b889b3b437
2 changed files with 27 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/main/java/org/elasticsearch/bootstrap/Security.java
View File

@ -42,7 +42,7 @@ public class Security {
*/
static void configure(Environment environment) throws Exception {
// enable security policy: union of template and environment-based paths.
Policy.setPolicy(new ESPolicy(createPermissions(environment, true)));
Policy.setPolicy(new ESPolicy(createPermissions(environment)));
// enable security manager
System.setSecurityManager(new SecurityManager());
@ -52,13 +52,11 @@ public class Security {
}
/** returns dynamic Permissions to configured paths */
static Permissions createPermissions(Environment environment, boolean addTempDir) throws IOException {
static Permissions createPermissions(Environment environment) throws IOException {
// TODO: improve test infra so we can reduce permissions where read/write
// is not really needed...
Permissions policy = new Permissions();
if (addTempDir) {
addPath(policy, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete");
}
addPath(policy, PathUtils.get(System.getProperty("java.io.tmpdir")), "read,readlink,write,delete");
addPath(policy, environment.homeFile(), "read,readlink,write,delete");
addPath(policy, environment.configFile(), "read,readlink,write,delete");
addPath(policy, environment.logsFile(), "read,readlink,write,delete");

27
src/test/java/org/elasticsearch/bootstrap/SecurityTests.java
View File

@ -40,8 +40,15 @@ public class SecurityTests extends ElasticsearchTestCase {
Settings settings = settingsBuilder.build();
Environment environment = new Environment(settings);
// we pass false to not include temp (or it will grant permissions to everything here)
Permissions permissions = Security.createPermissions(environment, false);
Path fakeTmpDir = createTempDir();
String realTmpDir = System.getProperty("java.io.tmpdir");
Permissions permissions;
try {
System.setProperty("java.io.tmpdir", fakeTmpDir.toString());
permissions = Security.createPermissions(environment);
} finally {
System.setProperty("java.io.tmpdir", realTmpDir);
}
// the fake es home
assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read")));
@ -49,6 +56,8 @@ public class SecurityTests extends ElasticsearchTestCase {
assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
// some other sibling
assertFalse(permissions.implies(new FilePermission(path.resolve("other").toString(), "read")));
// double check we overwrote java.io.tmpdir correctly for the test
assertFalse(permissions.implies(new FilePermission(realTmpDir.toString(), "read")));
}
/** test generated permissions for all configured paths */
@ -64,7 +73,15 @@ public class SecurityTests extends ElasticsearchTestCase {
Settings settings = settingsBuilder.build();
Environment environment = new Environment(settings);
Permissions permissions = Security.createPermissions(environment, false);
Path fakeTmpDir = createTempDir();
String realTmpDir = System.getProperty("java.io.tmpdir");
Permissions permissions;
try {
System.setProperty("java.io.tmpdir", fakeTmpDir.toString());
permissions = Security.createPermissions(environment);
} finally {
System.setProperty("java.io.tmpdir", realTmpDir);
}
// check that all directories got permissions:
// homefile: this is needed unless we break out rules for "lib" dir.
@ -84,5 +101,9 @@ public class SecurityTests extends ElasticsearchTestCase {
}
// logs: r/w
assertTrue(permissions.implies(new FilePermission(environment.logsFile().toString(), "read,readlink,write,delete")));
// temp dir: r/w
assertTrue(permissions.implies(new FilePermission(fakeTmpDir.toString(), "read,readlink,write,delete")));
// double check we overwrote java.io.tmpdir correctly for the test
assertFalse(permissions.implies(new FilePermission(realTmpDir.toString(), "read")));
}
}